silgi 0.0.14 → 0.1.0-beta.2

package/dist/plugins/pubsub.mjs

@@ -0,0 +1,53 @@
+//#region src/plugins/pubsub.ts
+var MemoryPubSub = class {
+	#listeners = /* @__PURE__ */ new Map();
+	async publish(channel, data) {
+		const listeners = this.#listeners.get(channel);
+		if (!listeners) return;
+		for (const cb of listeners) cb(data);
+	}
+	subscribe(channel, callback) {
+		let set = this.#listeners.get(channel);
+		if (!set) {
+			set = /* @__PURE__ */ new Set();
+			this.#listeners.set(channel, set);
+		}
+		set.add(callback);
+		return () => {
+			set.delete(callback);
+			if (set.size === 0) this.#listeners.delete(channel);
+		};
+	}
+};
+/**
+* Create a publisher from a PubSub backend.
+*
+* The publisher exposes `publish()` for mutations and `subscribe()`
+* as an async generator for SSE/WebSocket subscriptions.
+*/
+function createPublisher(backend) {
+	return {
+		publish: (channel, data) => backend.publish(channel, data),
+		async *subscribe(channel) {
+			const queue = [];
+			let resolve = null;
+			const unsubscribe = backend.subscribe(channel, (data) => {
+				queue.push(data);
+				if (resolve) {
+					resolve();
+					resolve = null;
+				}
+			});
+			try {
+				while (true) if (queue.length > 0) yield queue.shift();
+				else await new Promise((r) => {
+					resolve = r;
+				});
+			} finally {
+				unsubscribe();
+			}
+		}
+	};
+}
+//#endregion
+export { MemoryPubSub, createPublisher };

package/dist/plugins/ratelimit.d.mts

@@ -0,0 +1,51 @@
+import { GuardDef } from "../types.mjs";
+
+//#region src/plugins/ratelimit.d.ts
+interface RateLimitResult {
+  success: boolean;
+  limit: number;
+  remaining: number;
+  reset: number;
+}
+interface RateLimiter {
+  limit(key: string): Promise<RateLimitResult>;
+}
+interface MemoryRateLimiterOptions {
+  /** Maximum requests per window */
+  limit: number;
+  /** Window duration in milliseconds */
+  windowMs: number;
+}
+declare class MemoryRateLimiter implements RateLimiter {
+  #private;
+  constructor(options: MemoryRateLimiterOptions);
+  limit(key: string): Promise<RateLimitResult>;
+}
+interface RateLimitGuardOptions {
+  /** The rate limiter instance */
+  limiter: RateLimiter;
+  /** Extract rate limit key from context */
+  keyFn: (ctx: Record<string, unknown>) => string | Promise<string>;
+  /** Custom error message */
+  message?: string;
+}
+/**
+ * Create a rate limiting guard.
+ *
+ * @example
+ * ```ts
+ * import { rateLimitGuard, MemoryRateLimiter } from "silgi/ratelimit"
+ *
+ * const rateLimit = rateLimitGuard({
+ *   limiter: new MemoryRateLimiter({ limit: 100, windowMs: 60_000 }),
+ *   keyFn: (ctx) => (ctx as any).ip ?? "anonymous",
+ * })
+ *
+ * const proc = k
+ *   .$use(rateLimit)
+ *   .$resolve(() => ({ ok: true }))
+ * ```
+ */
+declare function rateLimitGuard(options: RateLimitGuardOptions): GuardDef<any, any>;
+//#endregion
+export { MemoryRateLimiter, MemoryRateLimiterOptions, RateLimitGuardOptions, RateLimitResult, RateLimiter, rateLimitGuard };

package/dist/plugins/ratelimit.mjs

@@ -0,0 +1,81 @@
+import { SilgiError } from "../core/error.mjs";
+//#region src/plugins/ratelimit.ts
+/**
+* Rate limiting plugin — v2 guard middleware.
+*
+* Sliding window in-memory rate limiter.
+* Pluggable: swap MemoryRateLimiter for Redis/Upstash/etc.
+*/
+var MemoryRateLimiter = class {
+	#limit;
+	#windowMs;
+	#store = /* @__PURE__ */ new Map();
+	constructor(options) {
+		this.#limit = options.limit;
+		this.#windowMs = options.windowMs;
+	}
+	async limit(key) {
+		const now = Date.now();
+		const windowStart = now - this.#windowMs;
+		let timestamps = this.#store.get(key);
+		if (!timestamps) {
+			timestamps = [];
+			this.#store.set(key, timestamps);
+		}
+		while (timestamps.length > 0 && timestamps[0] < windowStart) timestamps.shift();
+		const remaining = Math.max(0, this.#limit - timestamps.length);
+		const reset = timestamps.length > 0 ? timestamps[0] + this.#windowMs : now + this.#windowMs;
+		if (timestamps.length >= this.#limit) return {
+			success: false,
+			limit: this.#limit,
+			remaining: 0,
+			reset
+		};
+		timestamps.push(now);
+		return {
+			success: true,
+			limit: this.#limit,
+			remaining: remaining - 1,
+			reset
+		};
+	}
+};
+/**
+* Create a rate limiting guard.
+*
+* @example
+* ```ts
+* import { rateLimitGuard, MemoryRateLimiter } from "silgi/ratelimit"
+*
+* const rateLimit = rateLimitGuard({
+*   limiter: new MemoryRateLimiter({ limit: 100, windowMs: 60_000 }),
+*   keyFn: (ctx) => (ctx as any).ip ?? "anonymous",
+* })
+*
+* const proc = k
+*   .$use(rateLimit)
+*   .$resolve(() => ({ ok: true }))
+* ```
+*/
+function rateLimitGuard(options) {
+	return {
+		kind: "guard",
+		fn: async (ctx) => {
+			const key = await options.keyFn(ctx);
+			const result = await options.limiter.limit(key);
+			if (!result.success) throw new SilgiError("TOO_MANY_REQUESTS", {
+				status: 429,
+				message: options.message ?? "Rate limit exceeded",
+				data: {
+					limit: result.limit,
+					remaining: result.remaining,
+					reset: result.reset,
+					retryAfter: Math.ceil((result.reset - Date.now()) / 1e3)
+				}
+			});
+			return { rateLimit: result };
+		}
+	};
+}
+//#endregion
+export { MemoryRateLimiter, rateLimitGuard };

package/dist/plugins/signing.d.mts

@@ -0,0 +1,41 @@
+//#region src/plugins/signing.d.ts
+/**
+ * Signing & Encryption utilities — HMAC-SHA256 and AES-GCM.
+ *
+ * Uses the Web Crypto API (works in Node.js, Bun, Deno, Cloudflare Workers).
+ *
+ * @example
+ * ```ts
+ * import { sign, unsign, encrypt, decrypt } from "silgi/plugins"
+ *
+ * // Sign a value (tamper-proof)
+ * const signed = await sign("user:123", "my-secret")
+ * const value = await unsign(signed, "my-secret") // "user:123" or null
+ *
+ * // Encrypt a value (confidential)
+ * const encrypted = await encrypt("sensitive-data", "my-secret")
+ * const decrypted = await decrypt(encrypted, "my-secret") // "sensitive-data"
+ * ```
+ */
+/**
+ * Sign a string value with HMAC-SHA256.
+ * Returns `value.signature` — use `unsign()` to verify.
+ */
+declare function sign(value: string, secret: string): Promise<string>;
+/**
+ * Verify and extract a signed value.
+ * Returns the original value if valid, or `null` if tampered.
+ */
+declare function unsign(signed: string, secret: string): Promise<string | null>;
+/**
+ * Encrypt a string with AES-256-GCM (PBKDF2 key derivation).
+ * Returns a base64url-encoded string containing salt + iv + ciphertext.
+ */
+declare function encrypt(plaintext: string, secret: string): Promise<string>;
+/**
+ * Decrypt a string encrypted with `encrypt()`.
+ * Returns the original plaintext, or throws if the secret is wrong.
+ */
+declare function decrypt(encrypted: string, secret: string): Promise<string>;
+//#endregion
+export { decrypt, encrypt, sign, unsign };

package/dist/plugins/signing.mjs

@@ -0,0 +1,115 @@
+//#region src/plugins/signing.ts
+/**
+* Signing & Encryption utilities — HMAC-SHA256 and AES-GCM.
+*
+* Uses the Web Crypto API (works in Node.js, Bun, Deno, Cloudflare Workers).
+*
+* @example
+* ```ts
+* import { sign, unsign, encrypt, decrypt } from "silgi/plugins"
+*
+* // Sign a value (tamper-proof)
+* const signed = await sign("user:123", "my-secret")
+* const value = await unsign(signed, "my-secret") // "user:123" or null
+*
+* // Encrypt a value (confidential)
+* const encrypted = await encrypt("sensitive-data", "my-secret")
+* const decrypted = await decrypt(encrypted, "my-secret") // "sensitive-data"
+* ```
+*/
+const encoder = new TextEncoder();
+const decoder = new TextDecoder();
+async function getSigningKey(secret) {
+	return crypto.subtle.importKey("raw", encoder.encode(secret), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign", "verify"]);
+}
+function toHex(buffer) {
+	return Array.from(new Uint8Array(buffer)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function fromHex(hex) {
+	if (hex.length % 2 !== 0 || hex.length === 0) return null;
+	if (!/^[0-9a-f]+$/i.test(hex)) return null;
+	const bytes = new Uint8Array(hex.length / 2);
+	for (let i = 0; i < hex.length; i += 2) bytes[i / 2] = Number.parseInt(hex.slice(i, i + 2), 16);
+	return bytes;
+}
+/**
+* Sign a string value with HMAC-SHA256.
+* Returns `value.signature` — use `unsign()` to verify.
+*/
+async function sign(value, secret) {
+	const key = await getSigningKey(secret);
+	return `${value}.${toHex(await crypto.subtle.sign("HMAC", key, encoder.encode(value)))}`;
+}
+/**
+* Verify and extract a signed value.
+* Returns the original value if valid, or `null` if tampered.
+*/
+async function unsign(signed, secret) {
+	const dotIdx = signed.lastIndexOf(".");
+	if (dotIdx === -1) return null;
+	const value = signed.slice(0, dotIdx);
+	const expected = fromHex(signed.slice(dotIdx + 1));
+	if (!expected) return null;
+	const key = await getSigningKey(secret);
+	return await crypto.subtle.verify("HMAC", key, expected.buffer, encoder.encode(value)) ? value : null;
+}
+async function getEncryptionKey(secret, salt) {
+	const keyMaterial = await crypto.subtle.importKey("raw", encoder.encode(secret), "PBKDF2", false, ["deriveKey"]);
+	return crypto.subtle.deriveKey({
+		name: "PBKDF2",
+		salt: salt.buffer,
+		iterations: 1e5,
+		hash: "SHA-256"
+	}, keyMaterial, {
+		name: "AES-GCM",
+		length: 256
+	}, false, ["encrypt", "decrypt"]);
+}
+/**
+* Encrypt a string with AES-256-GCM (PBKDF2 key derivation).
+* Returns a base64url-encoded string containing salt + iv + ciphertext.
+*/
+async function encrypt(plaintext, secret) {
+	const salt = crypto.getRandomValues(new Uint8Array(16));
+	const iv = crypto.getRandomValues(new Uint8Array(12));
+	const key = await getEncryptionKey(secret, salt);
+	const ciphertext = await crypto.subtle.encrypt({
+		name: "AES-GCM",
+		iv
+	}, key, encoder.encode(plaintext));
+	const combined = new Uint8Array(salt.length + iv.length + ciphertext.byteLength);
+	combined.set(salt, 0);
+	combined.set(iv, salt.length);
+	combined.set(new Uint8Array(ciphertext), salt.length + iv.length);
+	return base64urlEncode(combined);
+}
+/**
+* Decrypt a string encrypted with `encrypt()`.
+* Returns the original plaintext, or throws if the secret is wrong.
+*/
+async function decrypt(encrypted, secret) {
+	const combined = base64urlDecode(encrypted);
+	const salt = combined.slice(0, 16);
+	const iv = combined.slice(16, 28);
+	const ciphertext = combined.slice(28);
+	const key = await getEncryptionKey(secret, salt);
+	const plaintext = await crypto.subtle.decrypt({
+		name: "AES-GCM",
+		iv
+	}, key, ciphertext);
+	return decoder.decode(plaintext);
+}
+function base64urlEncode(data) {
+	return btoa(String.fromCharCode(...data)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64urlDecode(str) {
+	const base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+	const padded = base64 + "=".repeat((4 - base64.length % 4) % 4);
+	const binary = atob(padded);
+	return Uint8Array.from(binary, (c) => c.charCodeAt(0));
+}
+//#endregion
+export { decrypt, encrypt, sign, unsign };

package/dist/plugins/strict-get.d.mts

@@ -0,0 +1,10 @@
+import { GuardDef } from "../types.mjs";
+
+//#region src/plugins/strict-get.d.ts
+/**
+ * Guard that rejects non-GET requests. Use on query procedures
+ * to enforce RESTful method semantics and prevent CSRF.
+ */
+declare const strictGetGuard: GuardDef<Record<string, unknown>>;
+//#endregion
+export { strictGetGuard };

package/dist/plugins/strict-get.mjs

@@ -0,0 +1,33 @@
+import { SilgiError } from "../core/error.mjs";
+//#region src/plugins/strict-get.ts
+/**
+* Strict GET method guard — enforce GET for query procedures.
+*
+* Rejects non-GET requests to query procedures with 405 Method Not Allowed.
+* Mutations must use POST. This prevents CSRF on read endpoints.
+*
+* @example
+* ```ts
+* import { strictGetGuard } from "silgi/plugins"
+*
+* const listUsers = k
+*   .$use(strictGetGuard)
+*   .$resolve(({ ctx }) => ctx.db.users.findMany())
+* ```
+*/
+/**
+* Guard that rejects non-GET requests. Use on query procedures
+* to enforce RESTful method semantics and prevent CSRF.
+*/
+const strictGetGuard = {
+	kind: "guard",
+	fn: (ctx) => {
+		const method = ctx.method;
+		if (method && method !== "GET" && method !== "HEAD") throw new SilgiError("METHOD_NOT_ALLOWED", {
+			status: 405,
+			message: `Expected GET, received ${method}`
+		});
+	}
+};
+//#endregion
+export { strictGetGuard };

package/dist/route/add.mjs

@@ -0,0 +1,240 @@
+import { isCatchAll, splitPath } from "./utils.mjs";
+//#region src/route/add.ts
+/**
+* Add a route to the router.
+*
+* Supports all rou3 patterns:
+* - Static: `/users/list`
+* - Params: `/users/:id`
+* - Regex params: `/users/:id(\\d+)`
+* - Unnamed regex: `/path/(\\d+)`
+* - Wildcards: `/files/**`, `/files/**:rest`
+* - Single wildcard: `/blog/*`
+* - Wildcard patterns: `/files/*.png`, `/files/file-*-*.png`
+* - Optional: `/users/:id?`, `/api/:version?/users`
+* - One-or-more: `/files/:path+`
+* - Zero-or-more: `/files/:path*`
+* - Non-capturing groups: `/book{s}?`, `/blog/:id(\\d+){-:title}?`, `/foo{/bar}?`
+* - Mixed params: `/npm/@:param1/:param2`
+* - Escaped: `/static\\:path/\\*`
+*/
+function addRoute(ctx, method, path, data) {
+	const hasEscapes = /\\[:*(){}]/.test(path);
+	if (hasEscapes) path = path.replace(/\\:/g, "�A").replace(/\\\*/g, "�B").replace(/\\\(/g, "�C").replace(/\\\)/g, "�D").replace(/\\\{/g, "�E").replace(/\\\}/g, "�F");
+	const expanded = expandGroups(path);
+	if (expanded) {
+		for (const p of expanded) addRoute(ctx, method, hasEscapes ? p : p, data);
+		return;
+	}
+	const modExpanded = expandModifiers(path);
+	if (modExpanded) {
+		for (const p of modExpanded) addRoute(ctx, method, p, data);
+		return;
+	}
+	const segments = splitPath(path);
+	const paramMap = [];
+	const paramRegex = [];
+	let hasRegex = false;
+	let isStatic = true;
+	let node = ctx.root;
+	for (let i = 0; i < segments.length; i++) {
+		let segment = segments[i];
+		if (hasEscapes) {
+			segment = decodeEscapes(segment);
+			segments[i] = segment;
+		}
+		if (isCatchAll(segment)) {
+			isStatic = false;
+			if (!node.wildcard) node.wildcard = { key: "**" };
+			node = node.wildcard;
+			if (segment.length > 2 && segment.charCodeAt(2) === 58) paramMap.push([
+				i,
+				segment.slice(3),
+				false
+			]);
+			else paramMap.push([
+				i,
+				"_",
+				false
+			]);
+			break;
+		}
+		if (segment === "*" || segment.includes("*") && !segment.startsWith("**")) {
+			isStatic = false;
+			if (segment === "*") _setMethod(node, method, data, [...paramMap], [...paramRegex], hasRegex, false);
+			if (!node.param) node.param = { key: "*" };
+			node = node.param;
+			paramMap.push([
+				i,
+				String(paramMap.length),
+				true
+			]);
+			if (segment !== "*") {
+				const escaped = segment.replace(/[.*+?^${}()|[\]\\]/g, (c) => c === "*" ? "([^/]+?)" : `\\${c}`);
+				paramRegex[i] = new RegExp(`^${escaped}$`);
+				hasRegex = true;
+			}
+			continue;
+		}
+		if (segment.startsWith("(") && segment.endsWith(")")) {
+			isStatic = false;
+			if (!node.param) node.param = { key: "*" };
+			node = node.param;
+			const pattern = segment.slice(1, -1);
+			paramMap.push([
+				i,
+				String(paramMap.length),
+				false
+			]);
+			paramRegex[i] = new RegExp(`^${pattern}$`);
+			hasRegex = true;
+			node.hasRegex = true;
+			continue;
+		}
+		if (segment.includes(":") && !hasEscapes) {
+			isStatic = false;
+			if (segment.charCodeAt(0) !== 58 || segment.indexOf(":", 1) !== -1) {
+				if (!node.param) node.param = { key: "*" };
+				node = node.param;
+				const { regex, names } = parseMixedSegment(segment);
+				paramMap.push([
+					i,
+					regex,
+					false
+				]);
+				paramRegex[i] = new RegExp(`^${regex.source}$`);
+				hasRegex = true;
+				node.hasRegex = true;
+				for (const name of names) paramMap.push([
+					i,
+					name,
+					false
+				]);
+				paramMap.splice(paramMap.length - names.length - 1, 1);
+				continue;
+			}
+			let paramSeg = segment.slice(1);
+			if (!node.param) node.param = { key: "*" };
+			let optional = false;
+			if (paramSeg.endsWith("?")) {
+				optional = true;
+				paramSeg = paramSeg.slice(0, -1);
+				_setMethod(node, method, data, [...paramMap], [...paramRegex], hasRegex, false);
+			}
+			node = node.param;
+			const parenIdx = paramSeg.indexOf("(");
+			if (parenIdx !== -1) {
+				const name = paramSeg.slice(0, parenIdx);
+				const pattern = paramSeg.slice(parenIdx + 1, -1);
+				paramMap.push([
+					i,
+					name,
+					optional
+				]);
+				paramRegex[i] = new RegExp(`^${pattern}$`);
+				hasRegex = true;
+				node.hasRegex = true;
+			} else paramMap.push([
+				i,
+				paramSeg,
+				optional
+			]);
+			continue;
+		}
+		if (!node.static) node.static = Object.create(null);
+		if (!node.static[segment]) node.static[segment] = { key: segment };
+		node = node.static[segment];
+	}
+	_setMethod(node, method, data, paramMap, paramRegex, hasRegex, !isStatic && _lastIsCatchAll(segments));
+	if (isStatic) {
+		const normalized = "/" + segments.join("/");
+		ctx.static[normalized] = node;
+		if (normalized.length > 1) ctx.static[normalized + "/"] = node;
+	}
+}
+function expandGroups(path) {
+	const match = path.match(/\{([^}]+)\}\?/);
+	if (!match) return null;
+	const before = path.slice(0, match.index);
+	const content = match[1];
+	const after = path.slice(match.index + match[0].length);
+	return [before + content + after, before + after];
+}
+function expandModifiers(path) {
+	const segments = path.split("/");
+	for (let i = 0; i < segments.length; i++) {
+		const m = segments[i].match(/^(.*:[\w-]+(?:\([^)]*\))?)([?+*])$/);
+		if (!m) continue;
+		const pre = segments.slice(0, i);
+		const suf = segments.slice(i + 1);
+		const modifier = m[2];
+		const baseName = m[1].match(/:([\w-]+)/)?.[1] || "_";
+		const cleanPre = pre.filter(Boolean);
+		if (modifier === "?") {
+			if (i < segments.length - 1) return ["/" + cleanPre.concat(m[1]).concat(suf).join("/"), "/" + cleanPre.concat(suf).join("/")];
+		} else if (modifier === "+") return ["/" + [
+			...cleanPre,
+			`**:${baseName}`,
+			...suf
+		].join("/")];
+		else if (modifier === "*") return ["/" + [
+			...cleanPre,
+			`**:${baseName}`,
+			...suf
+		].join("/"), "/" + [...cleanPre, ...suf].join("/")];
+	}
+	return null;
+}
+function parseMixedSegment(segment) {
+	const names = [];
+	let pattern = "";
+	let i = 0;
+	while (i < segment.length) if (segment[i] === ":") {
+		let j = i + 1;
+		while (j < segment.length && /[\w-]/.test(segment[j])) j++;
+		if (j < segment.length && segment[j] === "(") {
+			const end = segment.indexOf(")", j);
+			const name = segment.slice(i + 1, j);
+			const constraint = segment.slice(j + 1, end);
+			names.push(name);
+			pattern += `(?<${name.replace(/-/g, "_")}>${constraint})`;
+			i = end + 1;
+		} else {
+			const name = segment.slice(i + 1, j);
+			names.push(name);
+			pattern += `(?<${name.replace(/-/g, "_")}>[^/]+?)`;
+			i = j;
+		}
+	} else {
+		pattern += segment[i].replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+		i++;
+	}
+	return {
+		regex: new RegExp(pattern),
+		names
+	};
+}
+function decodeEscapes(segment) {
+	return segment.replace(/\uFFFDA/g, ":").replace(/\uFFFDB/g, "*").replace(/\uFFFDC/g, "(").replace(/\uFFFDD/g, ")").replace(/\uFFFDE/g, "{").replace(/\uFFFDF/g, "}");
+}
+function _setMethod(node, method, data, paramMap, paramRegex, hasRegex, catchAll) {
+	if (!node.methods) node.methods = Object.create(null);
+	const entry = {
+		data,
+		paramMap: paramMap.length > 0 ? paramMap : void 0,
+		paramRegex,
+		catchAll: catchAll || void 0
+	};
+	if (hasRegex) node.hasRegex = true;
+	const key = method || "";
+	if (!node.methods[key]) node.methods[key] = [];
+	if (hasRegex) node.methods[key].unshift(entry);
+	else node.methods[key].push(entry);
+}
+function _lastIsCatchAll(segments) {
+	if (segments.length === 0) return false;
+	const last = segments[segments.length - 1];
+	return last === "**" || last.startsWith("**:");
+}
+//#endregion
+export { addRoute };